Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:41
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
7eb39d91e0690aeaedc25509cadf3f6269df12ff88f852d031e2e6a3a496be2eN.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
7eb39d91e0690aeaedc25509cadf3f6269df12ff88f852d031e2e6a3a496be2eN.exe
-
Size
454KB
-
MD5
05e8eb9485a7d8e5f248b84564d228f0
-
SHA1
9a664c81ba6a032b34a9eefccd98031843d2398b
-
SHA256
7eb39d91e0690aeaedc25509cadf3f6269df12ff88f852d031e2e6a3a496be2e
-
SHA512
2575cf2d0aa69628ac1ec6be4e7bc7f70d1dcb1ab8f8b5a209b5058c36182bf4aebf23398f87138feb84052552208ec5a201fec893ea084a851b4c7059c38e5b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeO:q7Tc2NYHUrAwfMp3CDO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
Note: the memory-dump IoCs below are keyed by PID and dump index (e.g. 2600-7, 2600-317). Several PIDs are recycled during this run — PID 2600 is first the submitted sample and later nxdlpf.exe, and 2368, 2456, 2448 and 2272 likewise appear twice in the process tree — so two dumps with the same PID prefix do not necessarily belong to the same process; resolve them against the process tree before attributing a region to a specific executable.
resource yara_rule behavioral1/memory/2600-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/324-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-43-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2368-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-80-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2676-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-116-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1512-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/912-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1516-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2200-220-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1576-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/704-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-298-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2600-317-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2344-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1232-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-512-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2400-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-596-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2980-690-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1692-711-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1664-798-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2156-906-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Note: this list appears to be capped at 64 entries (the two signatures below also report exactly 64); the process tree shows a chain of 122 nested executables, and those from dnpxb.exe onward carry no "Executes dropped EXE" tag, so treat the listing as a sample rather than the full set of dropped files.
pid Process 324 htjprpx.exe 2772 pxvvvhd.exe 2812 pjxhxh.exe 2948 prftvt.exe 2368 dfphj.exe 2980 phfjjv.exe 2936 xdpdhv.exe 2676 hhtdhp.exe 2804 hvdrxx.exe 2664 bdxbxlr.exe 1780 lpjhtf.exe 2456 brhrf.exe 2448 xrfnnhb.exe 1512 vlptv.exe 912 jfxdjj.exe 1516 ptbpfr.exe 2784 pjvjh.exe 1636 fvlvdhj.exe 1244 xplbp.exe 2200 htrthnj.exe 2632 xvdrl.exe 2272 jlnhnp.exe 2500 lbdvtp.exe 704 hfxxx.exe 1576 hhdpfxt.exe 1988 ldrfphp.exe 1720 fbvxh.exe 1616 dtrjlx.exe 2124 ntxnv.exe 1980 tjtnl.exe 932 lhbfn.exe 1976 njtdph.exe 3060 dppfpd.exe 3052 dfjjbrh.exe 2600 nxdlpf.exe 2344 pbpprx.exe 2256 xppdt.exe 2528 jvhjjx.exe 2884 vdhprf.exe 2840 thrfjl.exe 2716 bjjnvf.exe 2368 jlhvr.exe 536 flrdpn.exe 2728 bpvjfl.exe 2712 rvbnddx.exe 2752 dvrjp.exe 2544 tjbxpv.exe 2064 ndrhvd.exe 2660 hhvthp.exe 672 frppr.exe 2456 tbhjp.exe 2448 rdfnvl.exe 956 dbdfj.exe 1140 bdbnj.exe 2476 rxbppnb.exe 1888 rlhpvfd.exe 2116 rxjthjl.exe 1232 dhhjxnr.exe 928 jlxtvp.exe 1792 xllnt.exe 3036 nrpdr.exe 436 xnrnjh.exe 2260 fbfhxlt.exe 2272 vfrfrvd.exe -
resource yara_rule behavioral1/memory/2600-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/912-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/704-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-266-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1976-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/928-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/972-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-774-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-859-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-906-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. On its own this is a low-fidelity indicator: reading the NLS\Language key is also normal behavior for locale-aware benign software, so weigh it together with the other signatures in this report. Entries marked "Process not Found" are reads whose process had already exited before the sandbox resolved its image name.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xbxjpbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrjnr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtdhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhlrh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbjdhhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ldffdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dhpnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlhrfrh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrbdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nphlfpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jldvxj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fbldbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bdrbdjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rdvpddf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrjpbnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xvxvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttrphb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vlptv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbxld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bfxjbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language blvdthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tjrrj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhjrhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language npxvjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dnpxb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rpxvn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ndrfntj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rhdvjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bxndjt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jlrnr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pbnff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnfdrh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tddvxn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lppbdrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pxvnhx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rdpnr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bdjvh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hdrnx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fpvjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hlbhr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phvxt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dbdjfhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dlfdvj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Note: every entry below is a parent writing into the child it has just spawned (the same parent→child PID pairs as the process tree, four writes each), which is consistent with the sandbox instrumenting process creation rather than evidence of injection into unrelated processes; this signature is corroborating, not standalone, for this sample.
description pid Process procid_target PID 2600 wrote to memory of 324 2600 7eb39d91e0690aeaedc25509cadf3f6269df12ff88f852d031e2e6a3a496be2eN.exe 29 PID 2600 wrote to memory of 324 2600 7eb39d91e0690aeaedc25509cadf3f6269df12ff88f852d031e2e6a3a496be2eN.exe 29 PID 2600 wrote to memory of 324 2600 7eb39d91e0690aeaedc25509cadf3f6269df12ff88f852d031e2e6a3a496be2eN.exe 29 PID 2600 wrote to memory of 324 2600 7eb39d91e0690aeaedc25509cadf3f6269df12ff88f852d031e2e6a3a496be2eN.exe 29 PID 324 wrote to memory of 2772 324 htjprpx.exe 30 PID 324 wrote to memory of 2772 324 htjprpx.exe 30 PID 324 wrote to memory of 2772 324 htjprpx.exe 30 PID 324 wrote to memory of 2772 324 htjprpx.exe 30 PID 2772 wrote to memory of 2812 2772 pxvvvhd.exe 31 PID 2772 wrote to memory of 2812 2772 pxvvvhd.exe 31 PID 2772 wrote to memory of 2812 2772 pxvvvhd.exe 31 PID 2772 wrote to memory of 2812 2772 pxvvvhd.exe 31 PID 2812 wrote to memory of 2948 2812 pjxhxh.exe 32 PID 2812 wrote to memory of 2948 2812 pjxhxh.exe 32 PID 2812 wrote to memory of 2948 2812 pjxhxh.exe 32 PID 2812 wrote to memory of 2948 2812 pjxhxh.exe 32 PID 2948 wrote to memory of 2368 2948 prftvt.exe 33 PID 2948 wrote to memory of 2368 2948 prftvt.exe 33 PID 2948 wrote to memory of 2368 2948 prftvt.exe 33 PID 2948 wrote to memory of 2368 2948 prftvt.exe 33 PID 2368 wrote to memory of 2980 2368 dfphj.exe 34 PID 2368 wrote to memory of 2980 2368 dfphj.exe 34 PID 2368 wrote to memory of 2980 2368 dfphj.exe 34 PID 2368 wrote to memory of 2980 2368 dfphj.exe 34 PID 2980 wrote to memory of 2936 2980 phfjjv.exe 35 PID 2980 wrote to memory of 2936 2980 phfjjv.exe 35 PID 2980 wrote to memory of 2936 2980 phfjjv.exe 35 PID 2980 wrote to memory of 2936 2980 phfjjv.exe 35 PID 2936 wrote to memory of 2676 2936 xdpdhv.exe 36 PID 2936 wrote to memory of 2676 2936 xdpdhv.exe 36 PID 2936 wrote to memory of 2676 2936 xdpdhv.exe 36 PID 2936 wrote to memory of 2676 2936 xdpdhv.exe 36 PID 2676 wrote to memory of 2804 2676 hhtdhp.exe 37 PID 2676 wrote to 
memory of 2804 2676 hhtdhp.exe 37 PID 2676 wrote to memory of 2804 2676 hhtdhp.exe 37 PID 2676 wrote to memory of 2804 2676 hhtdhp.exe 37 PID 2804 wrote to memory of 2664 2804 hvdrxx.exe 38 PID 2804 wrote to memory of 2664 2804 hvdrxx.exe 38 PID 2804 wrote to memory of 2664 2804 hvdrxx.exe 38 PID 2804 wrote to memory of 2664 2804 hvdrxx.exe 38 PID 2664 wrote to memory of 1780 2664 bdxbxlr.exe 39 PID 2664 wrote to memory of 1780 2664 bdxbxlr.exe 39 PID 2664 wrote to memory of 1780 2664 bdxbxlr.exe 39 PID 2664 wrote to memory of 1780 2664 bdxbxlr.exe 39 PID 1780 wrote to memory of 2456 1780 lpjhtf.exe 40 PID 1780 wrote to memory of 2456 1780 lpjhtf.exe 40 PID 1780 wrote to memory of 2456 1780 lpjhtf.exe 40 PID 1780 wrote to memory of 2456 1780 lpjhtf.exe 40 PID 2456 wrote to memory of 2448 2456 brhrf.exe 41 PID 2456 wrote to memory of 2448 2456 brhrf.exe 41 PID 2456 wrote to memory of 2448 2456 brhrf.exe 41 PID 2456 wrote to memory of 2448 2456 brhrf.exe 41 PID 2448 wrote to memory of 1512 2448 xrfnnhb.exe 42 PID 2448 wrote to memory of 1512 2448 xrfnnhb.exe 42 PID 2448 wrote to memory of 1512 2448 xrfnnhb.exe 42 PID 2448 wrote to memory of 1512 2448 xrfnnhb.exe 42 PID 1512 wrote to memory of 912 1512 vlptv.exe 43 PID 1512 wrote to memory of 912 1512 vlptv.exe 43 PID 1512 wrote to memory of 912 1512 vlptv.exe 43 PID 1512 wrote to memory of 912 1512 vlptv.exe 43 PID 912 wrote to memory of 1516 912 jfxdjj.exe 44 PID 912 wrote to memory of 1516 912 jfxdjj.exe 44 PID 912 wrote to memory of 1516 912 jfxdjj.exe 44 PID 912 wrote to memory of 1516 912 jfxdjj.exe 44
Processes
Note: in this run the sample drops each successive executable directly into the root of C:\ under a short random consonant-only name (e.g. c:\htjprpx.exe) and each one launches the next, producing a 122-deep parent→child chain within the 120-second window. For hunting, the distinguishing pattern is the burst of unsigned short-named executables in C:\ root and the long linear process-spawn chain, rather than any individual filename, which differs per infection.
-
C:\Users\Admin\AppData\Local\Temp\7eb39d91e0690aeaedc25509cadf3f6269df12ff88f852d031e2e6a3a496be2eN.exe"C:\Users\Admin\AppData\Local\Temp\7eb39d91e0690aeaedc25509cadf3f6269df12ff88f852d031e2e6a3a496be2eN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\htjprpx.exec:\htjprpx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
\??\c:\pxvvvhd.exec:\pxvvvhd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\pjxhxh.exec:\pjxhxh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\prftvt.exec:\prftvt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\dfphj.exec:\dfphj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\phfjjv.exec:\phfjjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\xdpdhv.exec:\xdpdhv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\hhtdhp.exec:\hhtdhp.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\hvdrxx.exec:\hvdrxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\bdxbxlr.exec:\bdxbxlr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\lpjhtf.exec:\lpjhtf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\brhrf.exec:\brhrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\xrfnnhb.exec:\xrfnnhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\vlptv.exec:\vlptv.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\jfxdjj.exec:\jfxdjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912 -
\??\c:\ptbpfr.exec:\ptbpfr.exe17⤵
- Executes dropped EXE
PID:1516 -
\??\c:\pjvjh.exec:\pjvjh.exe18⤵
- Executes dropped EXE
PID:2784 -
\??\c:\fvlvdhj.exec:\fvlvdhj.exe19⤵
- Executes dropped EXE
PID:1636 -
\??\c:\xplbp.exec:\xplbp.exe20⤵
- Executes dropped EXE
PID:1244 -
\??\c:\htrthnj.exec:\htrthnj.exe21⤵
- Executes dropped EXE
PID:2200 -
\??\c:\xvdrl.exec:\xvdrl.exe22⤵
- Executes dropped EXE
PID:2632 -
\??\c:\jlnhnp.exec:\jlnhnp.exe23⤵
- Executes dropped EXE
PID:2272 -
\??\c:\lbdvtp.exec:\lbdvtp.exe24⤵
- Executes dropped EXE
PID:2500 -
\??\c:\hfxxx.exec:\hfxxx.exe25⤵
- Executes dropped EXE
PID:704 -
\??\c:\hhdpfxt.exec:\hhdpfxt.exe26⤵
- Executes dropped EXE
PID:1576 -
\??\c:\ldrfphp.exec:\ldrfphp.exe27⤵
- Executes dropped EXE
PID:1988 -
\??\c:\fbvxh.exec:\fbvxh.exe28⤵
- Executes dropped EXE
PID:1720 -
\??\c:\dtrjlx.exec:\dtrjlx.exe29⤵
- Executes dropped EXE
PID:1616 -
\??\c:\ntxnv.exec:\ntxnv.exe30⤵
- Executes dropped EXE
PID:2124 -
\??\c:\tjtnl.exec:\tjtnl.exe31⤵
- Executes dropped EXE
PID:1980 -
\??\c:\lhbfn.exec:\lhbfn.exe32⤵
- Executes dropped EXE
PID:932 -
\??\c:\njtdph.exec:\njtdph.exe33⤵
- Executes dropped EXE
PID:1976 -
\??\c:\dppfpd.exec:\dppfpd.exe34⤵
- Executes dropped EXE
PID:3060 -
\??\c:\dfjjbrh.exec:\dfjjbrh.exe35⤵
- Executes dropped EXE
PID:3052 -
\??\c:\nxdlpf.exec:\nxdlpf.exe36⤵
- Executes dropped EXE
PID:2600 -
\??\c:\pbpprx.exec:\pbpprx.exe37⤵
- Executes dropped EXE
PID:2344 -
\??\c:\xppdt.exec:\xppdt.exe38⤵
- Executes dropped EXE
PID:2256 -
\??\c:\jvhjjx.exec:\jvhjjx.exe39⤵
- Executes dropped EXE
PID:2528 -
\??\c:\vdhprf.exec:\vdhprf.exe40⤵
- Executes dropped EXE
PID:2884 -
\??\c:\thrfjl.exec:\thrfjl.exe41⤵
- Executes dropped EXE
PID:2840 -
\??\c:\bjjnvf.exec:\bjjnvf.exe42⤵
- Executes dropped EXE
PID:2716 -
\??\c:\jlhvr.exec:\jlhvr.exe43⤵
- Executes dropped EXE
PID:2368 -
\??\c:\flrdpn.exec:\flrdpn.exe44⤵
- Executes dropped EXE
PID:536 -
\??\c:\bpvjfl.exec:\bpvjfl.exe45⤵
- Executes dropped EXE
PID:2728 -
\??\c:\rvbnddx.exec:\rvbnddx.exe46⤵
- Executes dropped EXE
PID:2712 -
\??\c:\dvrjp.exec:\dvrjp.exe47⤵
- Executes dropped EXE
PID:2752 -
\??\c:\tjbxpv.exec:\tjbxpv.exe48⤵
- Executes dropped EXE
PID:2544 -
\??\c:\ndrhvd.exec:\ndrhvd.exe49⤵
- Executes dropped EXE
PID:2064 -
\??\c:\hhvthp.exec:\hhvthp.exe50⤵
- Executes dropped EXE
PID:2660 -
\??\c:\frppr.exec:\frppr.exe51⤵
- Executes dropped EXE
PID:672 -
\??\c:\tbhjp.exec:\tbhjp.exe52⤵
- Executes dropped EXE
PID:2456 -
\??\c:\rdfnvl.exec:\rdfnvl.exe53⤵
- Executes dropped EXE
PID:2448 -
\??\c:\dbdfj.exec:\dbdfj.exe54⤵
- Executes dropped EXE
PID:956 -
\??\c:\bdbnj.exec:\bdbnj.exe55⤵
- Executes dropped EXE
PID:1140 -
\??\c:\rxbppnb.exec:\rxbppnb.exe56⤵
- Executes dropped EXE
PID:2476 -
\??\c:\rlhpvfd.exec:\rlhpvfd.exe57⤵
- Executes dropped EXE
PID:1888 -
\??\c:\rxjthjl.exec:\rxjthjl.exe58⤵
- Executes dropped EXE
PID:2116 -
\??\c:\dhhjxnr.exec:\dhhjxnr.exe59⤵
- Executes dropped EXE
PID:1232 -
\??\c:\jlxtvp.exec:\jlxtvp.exe60⤵
- Executes dropped EXE
PID:928 -
\??\c:\xllnt.exec:\xllnt.exe61⤵
- Executes dropped EXE
PID:1792 -
\??\c:\nrpdr.exec:\nrpdr.exe62⤵
- Executes dropped EXE
PID:3036 -
\??\c:\xnrnjh.exec:\xnrnjh.exe63⤵
- Executes dropped EXE
PID:436 -
\??\c:\fbfhxlt.exec:\fbfhxlt.exe64⤵
- Executes dropped EXE
PID:2260 -
\??\c:\vfrfrvd.exec:\vfrfrvd.exe65⤵
- Executes dropped EXE
PID:2272 -
\??\c:\dnpxb.exec:\dnpxb.exe66⤵
- System Location Discovery: System Language Discovery
PID:1056 -
\??\c:\jdlhln.exec:\jdlhln.exe67⤵PID:2092
-
\??\c:\djpdh.exec:\djpdh.exe68⤵PID:2400
-
\??\c:\fltjtn.exec:\fltjtn.exe69⤵PID:2268
-
\??\c:\htvhfb.exec:\htvhfb.exe70⤵PID:1536
-
\??\c:\thtvjpj.exec:\thtvjpj.exe71⤵PID:1720
-
\??\c:\npxbt.exec:\npxbt.exe72⤵PID:1464
-
\??\c:\vhfvdf.exec:\vhfvdf.exe73⤵PID:1616
-
\??\c:\bvjbnf.exec:\bvjbnf.exe74⤵PID:1972
-
\??\c:\prjjb.exec:\prjjb.exe75⤵PID:2120
-
\??\c:\jpbbnpv.exec:\jpbbnpv.exe76⤵PID:856
-
\??\c:\xlxdt.exec:\xlxdt.exe77⤵PID:1880
-
\??\c:\xdxjnh.exec:\xdxjnh.exe78⤵PID:2308
-
\??\c:\lrjrrp.exec:\lrjrrp.exe79⤵PID:2640
-
\??\c:\hhbhvp.exec:\hhbhvp.exe80⤵PID:2396
-
\??\c:\rvprp.exec:\rvprp.exe81⤵PID:2160
-
\??\c:\xtrxvhr.exec:\xtrxvhr.exe82⤵PID:1496
-
\??\c:\pjpnbt.exec:\pjpnbt.exe83⤵PID:668
-
\??\c:\vpjjb.exec:\vpjjb.exe84⤵PID:2888
-
\??\c:\ddvtf.exec:\ddvtf.exe85⤵PID:2944
-
\??\c:\vdfpxt.exec:\vdfpxt.exe86⤵PID:2816
-
\??\c:\hrvrpvt.exec:\hrvrpvt.exe87⤵PID:2920
-
\??\c:\lnjvt.exec:\lnjvt.exe88⤵PID:2908
-
\??\c:\bbjph.exec:\bbjph.exe89⤵PID:2980
-
\??\c:\jrphvxx.exec:\jrphvxx.exe90⤵PID:2696
-
\??\c:\fvrlv.exec:\fvrlv.exe91⤵PID:1968
-
\??\c:\brvhp.exec:\brvhp.exe92⤵PID:2872
-
\??\c:\jfjtlrt.exec:\jfjtlrt.exe93⤵PID:2292
-
\??\c:\bprnr.exec:\bprnr.exe94⤵PID:2300
-
\??\c:\xxtvnv.exec:\xxtvnv.exe95⤵PID:1692
-
\??\c:\ddjfjvn.exec:\ddjfjvn.exe96⤵PID:980
-
\??\c:\tlrjhbd.exec:\tlrjhbd.exe97⤵PID:2984
-
\??\c:\hllxpx.exec:\hllxpx.exe98⤵PID:972
-
\??\c:\rhhjdp.exec:\rhhjdp.exe99⤵PID:1728
-
\??\c:\xlxtbl.exec:\xlxtbl.exe100⤵PID:1764
-
\??\c:\nbrlf.exec:\nbrlf.exe101⤵PID:2928
-
\??\c:\rdjnbr.exec:\rdjnbr.exe102⤵PID:760
-
\??\c:\jfjptvr.exec:\jfjptvr.exe103⤵PID:2952
-
\??\c:\rdpvrbx.exec:\rdpvrbx.exe104⤵PID:2372
-
\??\c:\xhblrf.exec:\xhblrf.exe105⤵PID:1688
-
\??\c:\nfntdt.exec:\nfntdt.exe106⤵PID:2140
-
\??\c:\bhtlr.exec:\bhtlr.exe107⤵PID:2296
-
\??\c:\vflfh.exec:\vflfh.exe108⤵PID:2632
-
\??\c:\trrxrpj.exec:\trrxrpj.exe109⤵PID:1664
-
\??\c:\prxjfph.exec:\prxjfph.exe110⤵PID:2520
-
\??\c:\dtdxbv.exec:\dtdxbv.exe111⤵PID:2556
-
\??\c:\nphlfpf.exec:\nphlfpf.exe112⤵
- System Location Discovery: System Language Discovery
PID:2460 -
\??\c:\dbrxbdr.exec:\dbrxbdr.exe113⤵PID:1704
-
\??\c:\fvtxjt.exec:\fvtxjt.exe114⤵PID:1424
-
\??\c:\rllpptt.exec:\rllpptt.exe115⤵PID:2468
-
\??\c:\frlrf.exec:\frlrf.exe116⤵PID:1712
-
\??\c:\nrbrtb.exec:\nrbrtb.exe117⤵PID:1668
-
\??\c:\hhlrh.exec:\hhlrh.exe118⤵
- System Location Discovery: System Language Discovery
PID:924 -
\??\c:\fthbdr.exec:\fthbdr.exe119⤵PID:1844
-
\??\c:\tbjhpfn.exec:\tbjhpfn.exe120⤵PID:2960
-
\??\c:\bxnth.exec:\bxnth.exe121⤵PID:932
-
\??\c:\vrdhn.exec:\vrdhn.exe122⤵PID:1932